Making some progress but things still don't work.

The startup log (edited) looks like this (domain name changed to mysite.com):

[2015-08-27 03:56:03] Server     INFO  Jetty server config file = myconfig.xml
[2015-08-27 03:56:03] Server     INFO  Fuseki 2.3.0 2015-07-25T17:11:28+0000
[2015-08-27 03:56:03] Config     INFO  FUSEKI_HOME=/home/ec2-user/fuseki
[2015-08-27 03:56:03] Config     INFO  FUSEKI_BASE=/home/ec2-user/fuseki/run
[2015-08-27 03:56:03] Servlet    INFO  Initializing Shiro environment
[2015-08-27 03:56:03] Config     INFO  Shiro file: file:///home/ec2-user/fuseki/run/shiro.ini
[2015-08-27 03:56:03] Config     INFO  Template file: templates/config-tdb-dir
[2015-08-27 03:56:03] Config     INFO  TDB dataset: directory=ds
[2015-08-27 03:56:03] Config     INFO  Register: /ds
[2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED ServerConnector@7e5441{SSL-http/1.1}{mysite.com:8443}: java.net.BindException: Cannot assign requested address
java.net.BindException: Cannot assign requested address
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
....
....
....
[2015-08-27 03:56:03] AbstractLifeCycle WARN  FAILED org.eclipse.jetty.server.Server@f9ed3e: java.net.BindException: Cannot assign requested address
java.net.BindException: Cannot assign requested address
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:433)
at sun.nio.ch.Net.bind(Net.java:425)
....
....
....
[2015-08-27 03:56:03] Server     ERROR SPARQLServer (port=0): Failed to start server: Cannot assign requested address


And I'm running fuseki 2.3.0 with this command:

nohup ./fuseki-server --port 8443 --update --jetty-config=myconfig.xml --loc=ds /ds


The "myconfig.xml" file is below (I've already added my certificate
and key to the Java 8 JSSE):

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN"
"http://www.eclipse.org/jetty/configure.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
      </New>
    </Arg>
  </Call>

<New id="sslContextFactory"
class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">/home/ec2-user/keystore</Set>
  <Set name="KeyStorePassword">somepassword</Set>
  <Set name="KeyManagerPassword">somepassword</Set>
  <Set name="TrustStorePath">/home/ec2-user/keystore</Set>
  <Set name="TrustStorePassword">somepassword</Set>
</New>

<Call id="sslConnector" name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="tlsHttpConfig"/></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.host"/></Set>
      <Set name="port"><Property name="jetty.tls.port" default="8443" /></Set>
      <Set name="idleTimeout">30000</Set>
      <Set name="host">mysite.com</Set>
    </New>
  </Arg>
</Call>

</Configure>

===================================

On Tue, Aug 25, 2015 at 5:17 PM, Jason Levitt <[email protected]> wrote:
> I can't find any examples of the file that you hand to  "--jetty-config"
>
> The "official" jetty docs for configuring SSL imply that there are two
> configuration files,
>  jetty-ssl-context.xml and  jetty-https.xml.
> (http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html)
>
> The example that you cite:
>
> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>
> says that: "This configuration must be used in conjunction with
> jetty.xml and jetty-ssl.xml"
>
> Where do these files go? The Fuseki download does not have any "etc"
> directory or
> any xml configuration files at all.
>
> So, I tried handing some XML config files to Fuseki using
> --jetty-config and it gives very little
> info in the error (see below). Has anyone actually successfully run
> Fuseki over SSL?
>
> [2015-08-25 22:13:34] Server     INFO  Jetty server config file = ./jetty-https.xml
> [2015-08-25 22:13:34] Server     ERROR SPARQLServer: Failed to configure server: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
> java.lang.IllegalStateException: Unknown configuration type: Call in org.eclipse.jetty.xml.XmlConfiguration@1d80d2b
> at org.eclipse.jetty.xml.XmlConfiguration.setConfig(XmlConfiguration.java:198)
> at org.eclipse.jetty.xml.XmlConfiguration.<init>(XmlConfiguration.java:177)
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:264)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
> org.apache.jena.fuseki.FusekiException: Failed to configure a server using configuration file './jetty-https.xml'
> at org.apache.jena.fuseki.jetty.JettyFuseki.configServer(JettyFuseki.java:269)
> at org.apache.jena.fuseki.jetty.JettyFuseki.buildServerWebapp(JettyFuseki.java:222)
> at org.apache.jena.fuseki.jetty.JettyFuseki.<init>(JettyFuseki.java:91)
> at org.apache.jena.fuseki.jetty.JettyFuseki.initializeServer(JettyFuseki.java:86)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.exec(FusekiCmd.java:335)
> at jena.cmd.CmdMain.mainMethod(CmdMain.java:93)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:58)
> at jena.cmd.CmdMain.mainRun(CmdMain.java:45)
> at org.apache.jena.fuseki.cmd.FusekiCmd$FusekiCmdInner.innerMain(FusekiCmd.java:96)
> at org.apache.jena.fuseki.cmd.FusekiCmd.main(FusekiCmd.java:59)
>
> J
>
>
> On Fri, Aug 21, 2015 at 4:14 AM, Andy Seaborne <[email protected]> wrote:
>> On 20/08/15 22:37, Jason Levitt wrote:
>>>
>>> Thanks. So I can still use the "--jetty-config" option with Fuseki v2.30 ?
>>>
>>> J
>>
>>
>> Yes, should work to pass in the file.  There was a major jetty version
>> change (8 to 9) and what effect that has had on that option is unclear to
>> me. Connector changed Jetty 8->9
>>
>> http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>>
>> and their example:
>>
>> http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/jetty-server/src/main/config/etc/jetty-https.xml
>>
>> It would be good to add this to the distribution - if you or anyone else has
>> a working version, I'd be very grateful to get a copy.
>>
>>
>>         Andy
>>
>>>
>>> On Thu, Aug 20, 2015 at 3:46 PM, Andy Seaborne <[email protected]> wrote:
>>>>
>>>> On 20/08/15 21:24, Jason Levitt wrote:
>>>>>
>>>>>
>>>>> Which version of Jetty does Fuseki 2.30 (the latest version) use?
>>>>>
>>>>> J
>>>>
>>>>
>>>>
>>>>
>>>> http://central.maven.org/maven2/org/apache/jena/jena-fuseki/2.3.0/jena-fuseki-2.3.0.pom
>>>>
>>>> ==> Jetty 9.1.1.v20140108
>>>>
>>>>          Andy
>>>>
>>>>
>>>>>
>>>>> On Thu, Aug 20, 2015 at 6:14 AM, Andy Seaborne <[email protected]> wrote:
>>>>>>
>>>>>>
>>>>>> The Jetty documentation is the best place to go for details of setting
>>>>>> up
>>>>>> Jetty.
>>>>>>
>>>>>> Here's one in the examples/ area but as far as I can tell it's more in the
>>>>>> category of "should work" (it is from Fuseki1 and that was a different
>>>>>> version of Jetty) rather than tested.
>>>>>>
>>>>>>
>>>>>>
>>>>>> https://github.com/apache/jena/blob/master/jena-fuseki2/examples/jetty-fuseki.xml
>>>>>>
>>>>>> If you, or anyone else, has a better example - please send it.
>>>>>>
>>>>>>           Andy
>>>>>>
>>>>>>
>>>>>> On 20/08/15 02:54, Jason Levitt wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> We're in an AWS environment using Fuseki 2 with built-in Jetty. It
>>>>>>> only talks to internal machines so there
>>>>>>> is no need to protect it from external exposure.  So that means that
>>>>>>> the easiest way is to use the
>>>>>>> `--jetty-config` flag to setup HTTPS to Jetty?  Are there any docs on
>>>>>>> what the options are for that
>>>>>>> config file (e.g. what goes into the config file)?
>>>>>>>
>>>>>>> J
>>>>>>>
>>>>>>> On Tue, Aug 18, 2015 at 3:21 PM, Andy Seaborne <[email protected]>
>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Right.  In a production environment, a reverse proxy is useful for
>>>>>>>> several
>>>>>>>> things and while there is nothing that forces a reverse proxy, the
>>>>>>>> weight
>>>>>>>> of
>>>>>>>> features can mean it's a useful and flexible thing to put into a
>>>>>>>> production
>>>>>>>> system.
>>>>>>>>
>>>>>>>> 1/ Blocking undesirable clients
>>>>>>>>       (manic crawlers, badly written PHP scripts)
>>>>>>>> 2/ more robust to DOS attacks (and accidental attacks)
>>>>>>>>       Java web containers just aren't as good under silly load
>>>>>>>> conditions.
>>>>>>>> 3/ URL rewrite
>>>>>>>>       E.g don't need /dataset/query - can be any URL you like.
>>>>>>>> 4/ Security
>>>>>>>>       integrate with local systems; rich choice of controls.
>>>>>>>>       Control who and what can update
>>>>>>>>       No need to restart for shiro changes.
>>>>>>>> 5/ Rate control (e.g. no more than N queries at a time)
>>>>>>>> 6/ https (can be expensive so a C-implementation can help)
>>>>>>>> 7/ Lots of add-ons and mods for all sorts of tasks.
>>>>>>>> 8/ Lots of Q&A on stackoverflow!
>>>>>>>>
>>>>>>>> Fuseki has "--localhost" to only talk to the machine's localhost
>>>>>>>> network
>>>>>>>> interface. In an environment like AWS, where port control is easy,
>>>>>>>> it's
>>>>>>>> trivial to secure the Fuseki server to only talk to the local reverse
>>>>>>>> proxy
>>>>>>>> by blocking all ports except (22 and) 80+443.
>>>>>>>>
>>>>>>>>            Andy
>>>>>>>>
>>>>>>>>
>>>>>>>> On 18/08/15 20:21, A. Soroka wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I checked more carefully (should have done that before replying) and
>>>>>>>>> it
>>>>>>>>> seems that Fuseki 2 also offers the `--jetty-config` flag for using
>>>>>>>>> a
>>>>>>>>> Jetty
>>>>>>>>> configuration that supports HTTPS:
>>>>>>>>>
>>>>>>>>> --jetty-config=FILE    Set up the server (not services) with a Jetty
>>>>>>>>> XML
>>>>>>>>> file
>>>>>>>>>
>>>>>>>>> ---
>>>>>>>>> A. Soroka
>>>>>>>>> The University of Virginia Library
>>>>>>>>>
>>>>>>>>> On Aug 18, 2015, at 10:34 AM, [email protected]
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Are you deploying Fuseki to your own servlet container (e.g. Tomcat
>>>>>>>>>> or
>>>>>>>>>> Jetty) or using the server included with Fuseki and is it Fuseki 1
>>>>>>>>>> or
>>>>>>>>>> 2?
>>>>>>>>>>
>>>>>>>>>> If the former, you will need to supply configuration specific to
>>>>>>>>>> that
>>>>>>>>>> container. If the latter and it is Fuseki 1, there is a Stack
>>>>>>>>>> Overflow
>>>>>>>>>> answer for it:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://stackoverflow.com/questions/28310045/enable-https-ssl-on-fuseki-server
>>>>>>>>>>
>>>>>>>>>> but the links seems to be dead. The idea is to supply your own
>>>>>>>>>> Jetty
>>>>>>>>>> configuration (Jetty is the servlet container that the Fuseki
>>>>>>>>>> command
>>>>>>>>>> uses).
>>>>>>>>>> For Fuseki 2, I think it is still under development? You could use
>>>>>>>>>> a
>>>>>>>>>> reverse
>>>>>>>>>> proxy in front of Fuseki, in that case.
>>>>>>>>>>
>>>>>>>>>> ---
>>>>>>>>>> A. Soroka
>>>>>>>>>> The University of Virginia Library
>>>>>>>>>>
>>>>>>>>>> On Aug 17, 2015, at 7:07 PM, Jason Levitt <[email protected]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Sorry if this is a FAQ, but I'm wondering if there are
>>>>>>>>>>> any guidelines online to setting up
>>>>>>>>>>> Fuseki for HTTPS access?
>>>>>>>>>>>
>>>>>>>>>>> Jason
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>
